Hello everyone, I'm currently setting up a lot of alarms in Splunk, and a question has arisen regarding what is better in terms of time. We've considered two scenarios: latest=-5m@m latest=now If I run the alarm every 5 minutes, I naturally want to avoid having "gaps" in my search.  I thinks both options will work but iam not 100% sure. I appreciate any insights on this. Thank you. ... View more

Hello to all, i have the following Issue: I receive logs from an older machine for which I cannot adjust the logging settings. When extracting data in Splunk, I encounter the following field and some values: id = EF_jblo_fdsfew42_sla id = EF_space_332312_sla id = EF_97324_pewpew_sla with a field extraction I then get my location from the id. For example: id = EF_jblo_fdsfew42_sla         => location = jblo id = EF_space_332312_sla       => location = space id = EF_97324_pewpew_sla     => location = 97324 <- where this is not a location here.   Now, I aim to replace the location using an automatic lookup based on the ID "EF_97324_pewpew_sla." Unfortunately, I encounter an issue where I either retrieve only the location from the table, omitting the rest, or I only receive the values extracted from the field extraction. I've reviewed the search sequence as per the documentation, ensuring that field extraction precedes lookup. However, I'm perplexed as to why it consistently erases all the values rather than just overwriting a single one. Is there an automated solution running in the background, similar to automatic lookup, that could resolve this? Thought lookup: ID Solution EF_97324_pewpew_sla TSINOC   My original concept was as follows: Data is ingested into Splunk. Using field extraction to extract the location from the ID. For the IDs where I am aware that they do not contain any location information, I intend to replace the extracted value with the lookup data. I wanted to run the whole thing in the "background" so that the users do not have to run it as a search string. I also tried to use calculated fields  to build one from two fields, but since the calculation takes place before the lookup, this was unfortunately not possible. Hope someone can help me. Kind regards, Flenwy ... View more

Hello to all, I have a multivalue field with a date and also a null value. In addition I have the problem that the format of the date is twisted from the original data. Hope someone can help me 🙂 example: outputdates (mv-field) 2023-07-29 12:06:20 28-07-2023 00:03:05 null needed result: outputdates (mv-field) 2023-07-29 12:06:20 2023-07-28 00:03:05 i tried splitting the field with mvexpand and then using strftime to adjust the format, unfortunately this is not working and i don't know exactly why. Do I need to transform the "outputdates" as a time field to make strtime work again? Am any help grateful. Many greetings, Flenwy ... View more